CE Marking (Cybersecurity)

CE marking in a cybersecurity context documents that a product with digital elements meets the essential security requirements of the Cyber Resilience Act. The marking is a prerequisite for the product to be legally sold on the EU market and signals to both users and authorities that the product has undergone a security assessment.

What is CE marking for cybersecurity?

The CE mark is already well known from product safety, toys and electronics. With the Cyber Resilience Act (CRA), the marking is extended to cover cybersecurity for products with digital elements.

When you see the CE mark on a software product or a connected device, it means the manufacturer has completed a conformity assessment and declares that the product meets CRA's essential requirements. This covers both security requirements for the product itself and requirements for vulnerability handling throughout the product's lifetime.

CE marking is not voluntary. It is a legal prerequisite for placing products with digital elements on the EU internal market. Without the marking, the product cannot be legally sold in the EU.

Requirements and conformity assessment

The process for obtaining CE marking under CRA follows a structured sequence. The manufacturer must:

• Conduct a risk assessment of the product's cybersecurity properties
• Ensure that the product complies with the essential requirements in CRA Annex I, including security by design and data minimisation
• Prepare technical documentation, including a Software Bill of Materials (SBOM)
• Carry out the relevant conformity assessment (self-assessment or third-party assessment)
• Issue an EU declaration of conformity
• Affix the CE marking to the product or its packaging

The documentation must be retained for at least ten years after the product is placed on the market. This places demands on your organisation's ISMS and document management.

Product categories and risk classes

CRA divides products into three categories, each with its own path to CE marking:

The standard category (default) covers the majority of products with digital elements. The manufacturer may carry out an internal conformity assessment (self-assessment) without involving an external body. This is the quickest and least costly route to CE marking.

Critical products, class I, include identity management software, VPN solutions and network administration tools. Here the manufacturer may still use self-assessment, but only if the product is certified under a recognised European standard. Otherwise, third-party assessment is required.

Critical products, class II, comprise the most security-sensitive products, such as firewalls, hardware security modules and industrial control systems. These always require third-party certification by a notified body. Penetration testing and thorough security evaluation are a fixed part of the process.

Regardless of category, the manufacturer must document all obligations under CRA and be able to present the documentation upon inspection.

Consequences of missing CE marking

Market surveillance authorities in the EU Member States have the power to verify whether products bear valid CE marking. The consequences of missing or incorrect marking are significant:

• The product may be prohibited from sale or required to be withdrawn from the market
• Fines of up to EUR 15 million or 2.5% of global annual turnover
• Publication of the infringement, which may damage the organisation's reputation

For organisations operating across the EU, CE marking is therefore not merely a regulatory requirement but a market access ticket. Organisations already working with technical and organisational measures under GDPR or NIS2 have a solid foundation to build upon.

Frequently Asked Questions about CE Marking (Cybersecurity)

What does CE marking for cybersecurity mean?

CE marking for cybersecurity means that the manufacturer declares the product meets the essential cybersecurity requirements of the Cyber Resilience Act (CRA). The marking provides users and authorities with visible evidence that the product has been assessed and approved for the European market.

When must products carry CE marking for cybersecurity?

The requirements are phased in from 2027. From that date, all products with digital elements sold on the EU market must bear CE marking as documentation of CRA compliance.

What happens if a product lacks CE marking?

Products without valid CE marking cannot be legally sold on the EU market. Market surveillance authorities may require the product to be withdrawn, and the manufacturer faces fines of up to EUR 15 million or 2.5% of global annual turnover.

Must all digital products undergo third-party certification?

No. Most products (the standard category) may use self-assessment, where the manufacturer documents compliance independently. Critical products in class I may also self-assess, but only if the product is certified under a recognised European standard; otherwise, and always for critical products in class II, a notified body must be involved in the assessment.
